
HP PROCURVE 2910AL User Manual

594 pages
IPv4 Access Control Lists (ACLs)
Configuring and Assigning an IPv4 ACL

Line #  Action
50      Any packet from any IPv4 SA to any IPv4 DA will be permitted (forwarded). The only traffic to reach this ACE will be IPv4 packets not specifically permitted or denied by the earlier ACEs.
n/a     The Implicit Deny is a function the switch automatically adds as the last action in all ACLs. It denies (drops) any IPv4 traffic from any source to any destination that has not found a match with earlier entries in the ACL. In this example, the ACE at line 50 permits (forwards) any IPv4 traffic not already permitted or denied by the earlier entries in the list, so there is no traffic remaining for action by the Implicit Deny function.
exit    Marks the end of the ACL.

Allowing for the Implied Deny Function
In any ACL having one or more ACEs there will always be a packet match.
This is because the switch automatically applies an Implicit Deny as the last
ACE in any ACL. This function is not visible in ACL listings, but is always
present. (Refer to figure 9-10.) This means that if you configure the switch to
use an ACL for filtering either inbound or outbound IPv4 traffic, any packets
not specifically permitted or denied by the explicit entries you create will be
denied by the Implicit Deny action. If you want to preempt the Implicit Deny
(so that IPv4 traffic not specifically addressed by earlier ACEs in a given ACL
will be permitted), insert an explicit permit any (for standard ACLs) or permit
ip any any (for extended ACLs) as the last explicit ACE in the ACL.
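
The first-match behavior and the Implicit Deny described above can be modeled in a few lines. This is an added example, not code from the manual or the switch; it assumes a simplified standard-ACE syntax (CIDR sources instead of the switch's ACL masks), and the sample ACLs and addresses are constructed.

```python
import ipaddress

IMPLICIT_DENY = ("n/a", "deny")  # always last, never shown in ACL listings

def parse_ace(text):
    """Parse a simplified standard ACE: '<line> permit|deny any|<SA>/<prefix>'."""
    line, action, source = text.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    net = ipaddress.ip_network("0.0.0.0/0" if source == "any" else source)
    return int(line), action, net

def evaluate(aces, src_ip):
    """First match wins; if no explicit ACE matches, the Implicit Deny applies."""
    if not aces:
        raise ValueError("model covers only ACLs with one or more ACEs")
    addr = ipaddress.ip_address(src_ip)
    for line, action, net in sorted(aces, key=lambda a: a[0]):
        if addr in net:
            return line, action
    return IMPLICIT_DENY

def preempts_implicit_deny(aces):
    """True if the last explicit ACE is 'permit any', leaving nothing for the Implicit Deny."""
    if not aces:
        raise ValueError("model covers only ACLs with one or more ACEs")
    _, action, net = max(aces, key=lambda a: a[0])
    return action == "permit" and net.prefixlen == 0

# Constructed sample ACLs (addresses are from documentation ranges).
WITHOUT_PERMIT_ANY = [parse_ace(t) for t in (
    "10 permit 192.0.2.0/24",
    "20 deny 198.51.100.7/32",
)]
WITH_PERMIT_ANY = WITHOUT_PERMIT_ANY + [parse_ace("50 permit any")]

if __name__ == "__main__":
    for name, acl in (("without permit any", WITHOUT_PERMIT_ANY),
                      ("with permit any", WITH_PERMIT_ANY)):
        print(name, "- preempts Implicit Deny:", preempts_implicit_deny(acl))
        for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
            print("   ", ip, "->", evaluate(acl, ip))
```

A False result from preempts_implicit_deny means any source not covered by an explicit ACE is dropped once the ACL is applied, which is worth confirming is intended before assigning the ACL to an interface.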
A Configured ACL Has No Effect Until You Apply It to an Interface
The switch stores ACLs in the configuration file. Thus, until you actually assign
an ACL to an interface, it is present in the configuration, but not used (and
does not use any of the monitored resources described in the appendix titled
“Monitored Resources” in the Management and Configuration Guide for
your switch).
You Can Assign an ACL Name or Number to an Interface Even if the ACL Does Not Exist in the Switch’s Configuration
In this case, if you subsequently create an ACL with that name or number, the
switch automatically applies each ACE as soon as you enter it in the
running-config file. Similarly, if you modify an existing ACE in an ACL you already
applied to an interface, the switch automatically implements the new ACE as
soon as you enter it. (See “General ACL Operating Notes” on page 9-99.) The
switch allows a maximum of 512 ACLs (IPv4), and determines the total from
the number of unique ACL names in the configuration. (For more on this topic,
refer to “Monitoring Shared Resources” on page 9-100.)

HP PROCURVE 2910AL Specifications

General
Model: HP ProCurve 2910al
Switching Capacity: 128 Gbps
Throughput: 95.2 Mpps
Management: Web, CLI, SNMP
Jumbo Frame Support: Yes
Manageable: Yes
Power: 100-240 VAC
Power Supply: Internal
Operating Temperature: 0°C to 45°C (32°F to 113°F)
Stacking: Yes
MAC Address Table Size: 32000 entries
Routing Protocol: RIP, OSPF
Features: IPv6, VLAN, QoS, ACLs
Operating Humidity: 15% to 95% non-condensing
Uplink Ports: 4
Power over Ethernet: Yes (PoE+ models available)
